
Script issues?!


5 replies to this topic

#1 matthewPj

matthewPj

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:04 PM

Posted 18 November 2017 - 01:25 AM

When I got on my mother's computer the other day, I noticed it was acting kinda odd. So I went diving into the computer's files and paying attention to what kind of issues were happening. Oh, she has an HP Stream 11, Windows 8.1 64-bit.

 

I noticed that there was some possible script processing in the background. Windows Defender will not activate the license due to the signature not being correct; Windows Update doesn't seem right, something fishy about it, but it was downloading.....something, from Windows or not.

I have done a few resets on the computer already, knowing it won't fix the PC but might give me a chance to find the corruption easier. Seems that antivirus is being reconfigured and seems useless. For instance, Malwarebytes: I installed the service and ran a scan; nothing was found, not even a cookie. I didn't trust the MB, so I installed Chameleon from MB; during setup it did not detect MB installed on my PC. I did this process a few times, same results.

McAfee, which was the AV that came with the PC: I went ahead and installed McAfee. Later, while looking through Event Viewer, there were logs mentioning that a service is attempting to configure McAfee; the process has invalid code/signature - allowed access.

 

Anyway, so trying to do the routine of ComboFix, HitmanPro, etc. etc., I don't believe will be of any use. I have used GMER and it mentioned an unknown MBR. I did try to install Dr.Web and that sent the PC into a semi-loop. Finally, after several failed attempts of the PC trying to fix the problem, it gave me the option of what to do, so I did a recovery,......again.

 

This time I was able to find some scripts that were disabling Windows Defender and several other things, including something that resembles the FBI's Carnivore, as if someone used Carnivore to hack my mother's PC.

 

Here are a few files of the scripts that I found...........

 

 

 

REM ========================================================
REM   Template Version: 2.00
REM ========================================================

@ECHO OFF
SETLOCAL
SET APP_NAME=TFS - Windows 8.1 HP Image Enhancements - TDC - Disable MS Defender
SET APP_LOG=C:\System.sav\LOGS\BB\%~n0.LOG
IF NOT EXIST C:\System.sav\LOGS\BB MD C:\System.sav\LOGS\BB

ECHO ############################################################# >> %APP_LOG%
ECHO  [%DATE%]                                                     >> %APP_LOG%
ECHO  [%TIME%] Beginning of the %~nx0                              >> %APP_LOG%
ECHO ############################################################# >> %APP_LOG%

REM ------------------- Script Entry ------------------------
ECHO [%TIME%] Start %APP_NAME% >>%APP_LOG%

:DETECTION
REM A McAfeeFlag=0..6 line in RStone_BBV.INI marks an image that ships McAfee.
REM findstr /x /i matches the whole line; ERRORLEVEL 1 (or higher) means no match.
findstr.exe /i /x "McAfeeFlag=[0-6]" C:\HP\BIN\RStone_BBV.INI >NUL
IF ERRORLEVEL 1 ECHO Image w/o Mcafee, ignore MS Defender disable. >> %APP_LOG% & GOTO RESULTPASSED

:MIRDETECT
REM RMinImg.flg marks a MIR image, which this enhancement does not support.
ECHO [%TIME%] MIR Detection >>%APP_LOG%
IF EXIST C:\System.sav\flags\RMinImg.flg ECHO "%APP_NAME%" did not support MIR. >> %APP_LOG% & GOTO RESULTPASSED

:INSTALL
REM HAL64.flg selects the 64-bit MSI; both run silently (/qn) with no reboot.
ECHO [%TIME%] Install %APP_NAME% >>%APP_LOG%
IF EXIST C:\System.sav\flags\HAL64.flg (
    start /w C:\SwSetup\DisableDefender\DisableMSDefender64.msi /qn /norestart>> %APP_LOG%
    IF ERRORLEVEL 1 GOTO RESULTFAILED
) ELSE (
    start /w C:\SwSetup\DisableDefender\DisableMSDefender32.msi /qn /norestart>> %APP_LOG%
    IF ERRORLEVEL 1 GOTO RESULTFAILED
)

GOTO RESULTPASSED

:RESULTPASSED
ECHO [%TIME%] Result of the %APP_NAME% >> %APP_LOG%
ECHO RESULT=PASSED >> %APP_LOG%
GOTO END

:RESULTFAILED
ECHO [%TIME%] Result of the %APP_NAME% >> %APP_LOG%
ECHO RESULT=FAILED >> %APP_LOG%
ECHO ERRORLEVEL=%errorlevel% >> %APP_LOG%
GOTO END

:END
ENDLOCAL

 

 

AND

 

Const CONST_HIDE_WINDOW = 0
Dim oShell, objArgs
Dim strCmd
Dim I

' Concatenate every argument passed to this script into one command line
strCmd = ""
Set objArgs = WScript.Arguments
For I = 0 To objArgs.Count - 1
  strCmd = strCmd & " " & objArgs(I)
Next

' Run Command with hidden style (window style 0) and wait for it to finish (TRUE)
Set oShell = WScript.CreateObject("WScript.shell")
oShell.Run "CMD.exe /c " & strCmd, CONST_HIDE_WINDOW, TRUE
Set oShell = Nothing

WScript.Quit(0)

 

 

--------------------------------

 

CMD1=CheckMachine;; FBI.Init.General - C:\SYSTEM.SAV\FBI\STATE.INI
CMD2=InitProgressBar;FBI.Init.General - C:\SYSTEM.SAV\FBI\STATE.INI
CMD3=HideActivity;FBI.Init.General - C:\SYSTEM.SAV\FBI\STATE.INI
CMD4=ShowActivity;FBI.Init.General - C:\SYSTEM.SAV\FBI\STATE.INI
CMD5=SetVar(FBITB.ProcessTools,ErrorFlagPath,C:\CTOERROR.FLG);FBI.Init.General - C:\SYSTEM.SAV\FBI\STATE.INI
CMD6=C:\system.sav\fbi\cNBPANIC.BTO;FBI.Init.General - C:\SYSTEM.SAV\FBI\STATE.INI
CMD7=SetVar(FbiData,ProcessState,InMiniWindows);; FBI.Init.General - C:\SYSTEM.SAV\FBI\STATE.INI
CMD8=CMD.exe /c C:\System.sav\ExitProc\UpdError.cmd 951 Started_FUpdate.pi_in_PASS2;FBI.Init.General - C:\SYSTEM.SAV\FBI\STATE.INI
CMD9=SetVar(FBIData,BTOName,C:\System.sav\P2PP\FixUps);FBI.Init.General - C:\SYSTEM.SAV\FBI\STATE.INI
CMD10=ProcessBTOName;FBI.Init.General - C:\SYSTEM.SAV\FBI\STATE.INI
CMD11=SystemReboot;; FBI.Init.General - C:\SYSTEM.SAV\FBI\STATE.INI
CMD12=ACPower;FBI.Init.General - C:\SYSTEM.SAV\FBI\STATE.INI
CMD13=SetVar(FbiData,ProcessState,FactoryUpdateScripts);FBI.Init.General - C:\SYSTEM.SAV\FBI\STATE.INI
CMD14=SetVar(FBIData,BTOName,C:\System.sav\P2PP\FUpdate.Pi);FBI.Init.General - C:\SYSTEM.SAV\FBI\STATE.INI
CMD15=ProcessBTOName;FBI.Init.General - C:\SYSTEM.SAV\FBI\STATE.INI
CMD16=SystemReboot;; FBI.Init.General - C:\SYSTEM.SAV\FBI\STATE.INI
CMD17=Acpower;FactoryPreinstall.Initialize - C:\SYSTEM.SAV\FBI\STATE.INI
CMD18=HideActivity;FBI.RefreshProgressBar - C:\SYSTEM.SAV\FBI\STATE.INI
CMD19=ShowActivity;FBI.RefreshProgressBar - C:\SYSTEM.SAV\FBI\STATE.INI
CMD20=EnableMouseKeyboard;FactoryPreinstall.Initialize - C:\SYSTEM.SAV\FBI\STATE.INI
CMD21=C:\system.sav\fbi\cNBPANIC.BTO;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD22=SetVar(FBIData,BTOName,C:\System.sav\P2PP\PreInit);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD23=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD24=SetVar(FBIData,BTOName,C:\System.sav\P2PP\PreOS.pi0);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD25=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD26=HideActivity;FBI.RefreshProgressBar - C:\SYSTEM.SAV\FBI\STATE.INI
CMD27=ShowActivity;FBI.RefreshProgressBar - C:\SYSTEM.SAV\FBI\STATE.INI
CMD28=SetVar(FBIData,BTOName,C:\System.sav\P2PP\QFE);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD29=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD30=HideActivity;FBI.RefreshProgressBar - C:\SYSTEM.SAV\FBI\STATE.INI
CMD31=ShowActivity;FBI.RefreshProgressBar - C:\SYSTEM.SAV\FBI\STATE.INI
CMD32=C:\System.sav\P2PP\Init\init.bto;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD33=SetVar(FBIData,BTOName,C:\System.sav\P2PP\FUpdate);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD34=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD35=SetVar(FBIData,BTOName,C:\System.sav\P2PP\FUpdate.EUE);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD36=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD37=CMD.exe /c c:\System.sav\ExitProc\UpdERROR.CMD 952 "Finished - Factory Update phase";FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD38=SetVar(FbiData,ProcessState,OsSetup);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD39=SystemReboot;; FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD40=ACPower;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD41=SetVar(FbiData,ProcessState,PostOsScripts);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD42=InitPostOSVars;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD43=GetOSInfo;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD44=C:\system.sav\fbi\cNBPANIC.BTO;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD45=EnableMouseKeyboard;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD46=SetVar(FBIData,BTOName,C:\System.sav\P2PP\OSUpdate.pi);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD47=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD48=ExitFBI;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD49=SetVar(FBIData,BTOName,C:\System.sav\P2PP\osupdate);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD50=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD51=ExitFBI;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD52=C:\system.sav\fbi\cNBPANIC.BTO;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD53=SetVar(FBIData,BTOName,C:\Appl.zip\PreReq1);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD54=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD55=SetVar(FBIData,BTOName,C:\System.sav\P2PP\PreReq1);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD56=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD57=SetVar(FBIData,BTOName,C:\Appl.zip\PreReq2);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD58=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD59=SetVar(FBIData,BTOName,C:\System.sav\P2PP\PreReq2);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD60=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD61=SetVar(FBIData,BTOName,C:\Appl.zip\drivers);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD62=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD63=SetVar(FBIData,BTOName,C:\System.sav\P2PP\drivers);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD64=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD65=SetVar(FBIData,BTOName,C:\Appl.zip\Audio);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD66=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD67=SetVar(FBIData,BTOName,C:\System.sav\P2PP\Audio);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD68=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD69=SetVar(FBIData,BTOName,C:\Appl.zip\Chipset);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD70=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD71=SetVar(FBIData,BTOName,C:\System.sav\P2PP\Chipset);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD72=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD73=SetVar(FBIData,BTOName,C:\Appl.zip\Graphics);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD74=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD75=SetVar(FBIData,BTOName,C:\System.sav\P2PP\Graphics);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD76=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD77=SetVar(FBIData,BTOName,C:\Appl.zip\TVTuner);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD78=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD79=SetVar(FBIData,BTOName,C:\System.sav\P2PP\TVTuner);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD80=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD81=SetVar(FBIData,BTOName,C:\Appl.zip\InputDevices);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD82=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD83=SetVar(FBIData,BTOName,C:\System.sav\P2PP\InputDevices);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD84=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD85=SetVar(FBIData,BTOName,C:\Appl.zip\Modem);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD86=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD87=SetVar(FBIData,BTOName,C:\System.sav\P2PP\Modem);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD88=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD89=SetVar(FBIData,BTOName,C:\Appl.zip\Network);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD90=ProcessBTOName;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD91=SetVar(FBIData,BTOName,C:\System.sav\P2PP\Network);FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI

 

-----------------------

 

There is a lot of FBI\STATE.INI in the system files; it seems that it is reconfiguring almost everything. I found one script mentioning targeting the HP Stream 11 from a master account, as if there are two computers, both having different serial numbers and everything.

 

 

I can go on and on about issues and possible problems.....like network issues found from packet capturing, which includes SOAP commands coming from the printer that were disabling Windows Update, etc.

All in all, it seems my mother's PC is completely messed up and hacked.

 

I am wondering more so whether deleting these files will be enough, but then there will also be registry issues. I am not fond of editing the registry blindly.

 

 

Thanks, if anyone reads this and has any information or ideas or brainstorming.
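An added triage example for the two artifact formats quoted in the post above (not code from the thread, and not HP's): it parses STATE.INI lines of the form "CMDn=action;phase - sourcefile" into a per-phase inventory of what the provisioning sequence runs and which files it references, and reads the BB log that the batch script writes ("[time] Start <app>", "RESULT=PASSED|FAILED", "ERRORLEVEL=n") to confirm which enhancement actually ran and with what result. The sample inputs are constructed from the excerpts in the post; the log's script filename and timestamps are made-up placeholders.

```python
"""Triage helpers for HP factory-provisioning artifacts (STATE.INI and BB logs).

Added example, not code from the thread or from HP. It assumes only the two
line formats visible in the post; sample inputs below are constructed.
"""
import re
from collections import defaultdict

# One STATE.INI command line: CMD<seq>=<action>;<phase> - <source ini path>
CMD_LINE = re.compile(r"^CMD(\d+)=(.*?);+\s*(\S+)\s+-\s+(.*)$")
# Any drive-letter path inside an action (BTO folders, .cmd/.bto files, flags)
WIN_PATH = re.compile(r'[A-Za-z]:\\[^\s,;)"]+')

# Lines the batch script writes to C:\System.sav\LOGS\BB\<script>.LOG
LOG_START = re.compile(r"^\[(\d\d:\d\d:\d\d(?:\.\d+)?)\] Start (.+)$")
LOG_RESULT = re.compile(r"^RESULT=(PASSED|FAILED)$")
LOG_ERRLVL = re.compile(r"^ERRORLEVEL=(-?\d+)$")

# Constructed sample: a subset of the STATE.INI lines from the post
SAMPLE_STATE = r"""
CMD1=CheckMachine;; FBI.Init.General - C:\SYSTEM.SAV\FBI\STATE.INI
CMD5=SetVar(FBITB.ProcessTools,ErrorFlagPath,C:\CTOERROR.FLG);FBI.Init.General - C:\SYSTEM.SAV\FBI\STATE.INI
CMD8=CMD.exe /c C:\System.sav\ExitProc\UpdError.cmd 951 Started_FUpdate.pi_in_PASS2;FBI.Init.General - C:\SYSTEM.SAV\FBI\STATE.INI
CMD11=SystemReboot;; FBI.Init.General - C:\SYSTEM.SAV\FBI\STATE.INI
CMD32=C:\System.sav\P2PP\Init\init.bto;FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
CMD37=CMD.exe /c c:\System.sav\ExitProc\UpdERROR.CMD 952 "Finished - Factory Update phase";FactoryPreinstall - C:\SYSTEM.SAV\FBI\STATE.INI
"""

# Constructed sample: what the Disable-MS-Defender script logs on success
# (script filename and times are placeholders, not from the post)
SAMPLE_LOG = """\
#############################################################
 [Sat 11/18/2017]
 [01:25:03.12] Beginning of the DisableDefender.cmd
#############################################################
[01:25:03.15] Start TFS - Windows 8.1 HP Image Enhancements - TDC - Disable MS Defender
[01:25:03.20] Install TFS - Windows 8.1 HP Image Enhancements - TDC - Disable MS Defender
[01:25:09.44] Result of the TFS - Windows 8.1 HP Image Enhancements - TDC - Disable MS Defender
RESULT=PASSED
"""


def parse_state_commands(text):
    """Return one dict (seq, action, phase, source, paths) per CMDn= line."""
    entries = []
    for line in text.splitlines():
        m = CMD_LINE.match(line.strip())
        if not m:
            continue
        seq, action, phase, source = m.groups()
        entries.append({
            "seq": int(seq),
            "action": action.strip(),
            "phase": phase,
            "source": source.strip(),
            "paths": WIN_PATH.findall(action),  # files/folders the action touches
        })
    return entries


def summarize_by_phase(entries):
    """Group actions by provisioning phase, preserving sequence order."""
    by_phase = defaultdict(list)
    for e in entries:
        by_phase[e["phase"]].append(e["action"])
    return dict(by_phase)


def referenced_paths(entries):
    """Sorted, case-insensitively de-duplicated list of every path referenced."""
    seen = {}
    for e in entries:
        for p in e["paths"]:
            seen.setdefault(p.lower(), p)
    return sorted(seen.values(), key=str.lower)


def external_commands(entries):
    """Entries that hand control to a script or .bto file instead of an FBI built-in."""
    return [e for e in entries
            if e["action"].upper().startswith("CMD.EXE")
            or e["action"].lower().endswith(".bto")]


def parse_bb_log(text):
    """Extract the app name, RESULT and ERRORLEVEL from one BB log file."""
    info = {"app": None, "result": None, "errorlevel": None}
    for line in text.splitlines():
        line = line.strip()
        if (m := LOG_START.match(line)):
            info["app"] = m.group(2).strip()
        elif (m := LOG_RESULT.match(line)):
            info["result"] = m.group(1)
        elif (m := LOG_ERRLVL.match(line)):
            info["errorlevel"] = int(m.group(1))
    return info


if __name__ == "__main__":
    entries = parse_state_commands(SAMPLE_STATE)
    for phase, actions in summarize_by_phase(entries).items():
        print(f"{phase}: {len(actions)} commands")
    print("paths referenced:", *referenced_paths(entries), sep="\n  ")
    print("hand-offs to scripts/.bto:", [e["seq"] for e in external_commands(entries)])
    print("BB log:", parse_bb_log(SAMPLE_LOG))
```

The path inventory is the list of files to collect and inspect before deleting anything, which is the question the post ends on, and the hand-off list separates FBI built-ins (SetVar, ProcessBTOName, SystemReboot) from the points where an external .cmd or .bto file is executed. Reading the BB logs tells you which enhancement scripts actually ran on this image and whether they reported PASSED, so the Defender-disable can be confirmed from the OEM's own log rather than inferred.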




 


#2 Unworn_Kilt

Unworn_Kilt

  • Members
  • 237 posts
  • OFFLINE
  • Gender:Male
  • Location:Australia
  • Local time:06:04 AM

Posted 18 November 2017 - 10:56 AM

G'day and Welcome,

 

 

Based on the TEXT you've posted, and bearing in mind I'm only a Standard User, not a Trained Malware Removal Expert, I am limited in what I can do. This is due to Forum Rules.

 

Judging by what I'm seeing in your post, and I have been working with PCs since the 1970s, I reckon what you have there is either a factory Windows 8.1 Upgrade Installer Script (that would explain the two computers - one used for "mastering". This is the most likely in my opinion. Factory Boot Interface.) Or, it could possibly be a First Boot Interface (FBI) script. It's likely it nagged you to create your factory backup discs on First Boot if it's the last option. It seems to be updating the system. Try having a look underneath your computer, assuming it's a laptop, and you MAY find a sticker that says "Upgraded."

 

I hope that's the case and suspect it is. This, however, doesn't mean that your computer does not contain some form of Malware.

 

If you would like to have your computer further investigated, please post another message here and I'll see what we can do.

 

Bear in mind I'm in Australia, so our time zones will be out of sync. I do tend to run on USA East Coast times most of the time. Please don't sit there waiting for answers though, as I do have to do other things too. The helpers here are volunteers.

 

Please let me know whether you'd like to take this further?

 

 

Cheers,

 

 

 

Kilt.


Edited by Unworn_Kilt, 18 November 2017 - 11:05 AM.

PLEASE NOTE

 

I am only a Standard Member,  NOT a Trained Malware Removal Expert. If you have ANY concerns regarding any advice I may give, please contact a Member of Staff before making changes.

 

Thanks!

 

 

** Walk Softly and Carry a Big Stick **

 

 

 


#3 matthewPj

matthewPj
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:04 PM

Posted 18 November 2017 - 01:00 PM

G'day and Welcome,
 

 
 
Kilt.



#4 matthewPj

matthewPj
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:04 PM

Posted 18 November 2017 - 01:14 PM

G'day and hellos
I agree it seems like a possible upgrade - enhancement. But it seems to be not a real one, imo.
There are files that this overwrites, like the McAfee one, and a misspelled McAfee file takes its place.
Why would an official PC manufacturer disable Windows Defender and Security Center? Almost every PC comes with a free AV trial, but I have never known this to make Windows security unable to be used.

There are also multiple network-made profiles for the PC that I am uncertain I am able to access or modify.

There is a remote procedure that I am unable to access.

Thanks for the info and assistance.

#5 matthewPj

matthewPj
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:02:04 PM

Posted 18 November 2017 - 01:28 PM

It seems I already double posted by mistake, making this a redundant posting on my behalf.

Maybe I should post somewhere else on how to stop this "enhancement" properly without it coming back and messing up the OS.

#6 Unworn_Kilt

Unworn_Kilt

  • Members
  • 237 posts
  • OFFLINE
  • Gender:Male
  • Location:Australia
  • Local time:06:04 AM

Posted 21 November 2017 - 12:24 PM

G'day Matthew,

 

 

If I were you, I'd go HERE and post a message saying that I'm going to be away for a few days, that you've waited 3 days, and see if you can have your topic "Bumped."

 

That way you'll likely get help a little faster as you've been waiting a while. I've been away due to a venomous spider bite and will be another couple of days.

 

Good luck and I hope you get it sorted. Everyone is very busy at the moment but I hope there won't be too much delay.

 

Feel free to PM me and let me know how you got on. (I'm genuinely interested.)

 

 

Best,

 

 

Kilt.



 

 

 




